
Q & A

 

Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

By Byron V. Acohido

It’s edifying what you can find shopping in the nether reaches of the dark web.

Related: Why government encryption backdoors should never be normalized.

Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

Specifically, the researchers found:

• A ready inventory of stolen SSL/TLS certificates, along with a range of related services and products, for sale, priced from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

• Extended validation certificates, packaged with services to support malicious websites, such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

• A vendor offering to issue certificates from reputable Certificate Authorities (CAs), along with forged company documentation, as part of a package of services enabling an attacker to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

This emerging black market for machine identities is but a mere starting point for cyber criminals who recognize a huge, unguarded exposure when they see one. Thus, threat actors have begun moving with alacrity to capitalize on it, before companies get around to protecting their exposed machine identity.

Repeated missteps

As a famous American sports hero once said, “It’s Déjà vu all over again.” In cobbling together our classic business networks, we did an imperfect job setting up privileged access for human users – and we continue to pay the price.  And yet, we are about to repeat the same missteps with respect to the over-privileging of non-human, or machine, identities.

Machine identities are what make hybrid business networks possible; they are nothing less than the key to stitching together emerging IoT- and 5G-centric systems. Think about the coming generation of smart homes, public venues, utilities and transportation systems. They will require an exploding number of APIs to connect each microservice, to each software container, to each orchestration tool, on up the software stack, to each new mobile app delivering each of our daily digital experiences.

Q&A: How AI, digital transformation are shaking up revenue management in high tech, life sciences

By Byron V. Acohido

A recent poll of some 300 senior executives from U.S.-based life sciences and high-tech manufacturing companies sheds light on how digital transformation – and the rising role of third-party partners – have combined to create unprecedented operational challenges in the brave new world of digital commerce.

Related: AI one-upsmanship prevails in antivirus field

Model N’s 2019 State of Revenue Report surveyed CEOs, CMOs and senior sales executives from leading pharmaceutical, medical devices, high-tech manufacturing and semiconductor companies. Model N is a San Mateo, CA-based supplier of revenue management systems.

Some 78 percent of respondents said AI has altered the way they do revenue management,  while 69 percent identified digital transformation as a revenue management game changer. Meanwhile, some 90 percent of respondents reported reliance on 20 or more partners, while 70 percent said they work with 40 or more partners.

Model N’s study provides yet another perspective on the unprecedented complexities organizations must navigate to compete in an internet-centric business environment. The core challenge for just about any company seeking top line and bottom line growth boils down to solving two intricate puzzles: how to deploy advanced digital systems in just the right measure; and how to collaborate, effectively and securely, with third-party partners.

And, of course, this must be done while defending the company’s digital assets against rising cyber attacks, launched by skilled, determined threat actors.

With that in mind, Last Watchdog sat down with Model N CEO Jason Blessing to drill down on a few instructive findings from Model N’s poll — and connect the dots to some wider. Here are excerpts edited for clarity and length.

LW: How has the revenue generation landscape shifted over the past few years?

Q&A: How cutting out buzzwords could actually ease implementation of powerful security tools

By Byron V. Acohido

The central dilemma posed by digital transformation is this: How do companies reap the benefits of high-velocity software development without creating onerous security exposures?

Related: Golden Age of cyber spying dawns

The best practices standards and protocols to pull off this delicate balancing act have been thoroughly vetted and are readily available. And there’s certainly no shortage of sophisticated technology solutions.

So what’s missing? Why have organizations, of all sizes and in all sectors, failed to make more progress shrinking a security gap that appears, in fact, to be inexorably widening?

These were questions I discussed at RSA 2019 with Samantha Madrid, a veteran executive in the enterprise security space, who recently joined Juniper Networks as vice president, security & business strategy. Juniper has been in the vanguard of integrating security deeper into the plumbing of modern business networks.

Madrid observed that the white noise of overlapping marketing messages has not made it any easier for enterprises to chart a truer course for securing their networks. One of the first things Madrid told me she did when she arrived at Juniper was to ask her colleagues to stop using marketing buzzwords.

“A vendor should be able to explain, in simple terms, how they can help solve a customer’s problem,” she said.

Having covered tech security since 2004, I can attest that there is plenty of room for more clarity, and less hype, in security products marketing. To hear my conversation with Madrid in its entirety, please give a listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: Can you frame the security challenges companies are facing in today’s very dynamic environment?

Q&A: How cybersecurity has become a primal battleground for AI one-upsmanship

By Byron V. Acohido

A discussion of how – and why – adversaries are using artificial intelligence to juice up malicious activities

When antivirus (AV) software first arrived in the late 1980s, the science of combating computer viruses was very straightforward.

AV kept close track of known malicious files, and then quarantined or deleted any known malware that had managed to embed itself on the protected computing device. At its core, AV still does that today.

Threat actors, of course, responded by engaging AV vendors in what has turned out to be a decades-long contest of one-upmanship. They quickened their pace of creating sprawling families of malware, putting AV vendors in an endless chase to identify, and blacklist, new malware variants as quickly as possible.

What began as a game of checkers quickly advanced to chess and then to 3D chess. That brings us to today, where AV vendors and malware distributors are engaged in a 3D chess match — infused by artificial intelligence, or AI.

I recently visited with Rajarshi Gupta, head of AI at Avast, who gave me a breakdown of how threat actors, today, are leveraging AI to support their malicious activities. Here are excerpts of our discussion, edited for clarity and length.

LW: Can you frame how AI has come into play dealing with adversaries?

Gupta: We’ve really pushed the frontiers of AI in the last decade in things like video, scene-understanding, natural language processing and even driverless cars. But, if you think about it, security is the only domain where we have to deal with a true adversary. It’s the only domain where someone who is very smart, and who has every economic incentive, can use the best tools available, including AI. To combat this, we need to utilize the best tools, and use them better than the dark side. That’s why we’re seeing the security industry continuously adopt more and more AI techniques to do battle with the black hats.

LW: And, conversely, AI is being increasingly leveraged by the attackers?

Gupta: Yes. There’s really nothing new in the basic cat and mouse chase that’s been taking place for 30 years. It’s just that both sides are now using AI to improve their respective games.

LW: Can you walk me through an illustration?

MY TAKE: Get ready to future-proof cybersecurity; the race is on to deliver ‘post-quantum crypto’

By Byron V. Acohido

Y2Q. Years-to-quantum. We’re 10 to 15 years from the arrival of quantum computers capable of solving complex problems far beyond the capacity of classical computers to solve.

PQC. Post-quantum-cryptography. Right now, the race is on to revamp classical encryption in preparation for the coming of quantum computers. Our smart homes, smart workplaces and smart transportation systems must be able to withstand the threat of quantum computers.

Put another way, future-proofing encryption is crucial to avoiding chaos. Imagine waiting for a quantum computer or two to wreak havoc before companies commence a mad scramble to strengthen encryption that protects sensitive systems and data. The longer we wait, the bigger the threat gets.

Related: The case for ‘zero-trust’

The tech security community gets this. One recent report estimates that the nascent market for PQC technology will climb from around $200 million today to $3.8 billion by 2028 as the quantum threat takes center stage.

I had the chance to visit at RSA 2019 with Avesta Hojjati, head of research and development at DigiCert. The world’s leading provider of digital certificates is working alongside other leading companies, including Microsoft Research and ISARA, to gain endorsement from the National Institute of Standards for breakthrough PQC algorithms, including Microsoft’s “Picnic” and ISARA’s qTESLA.

Hojjati outlined the challenge of perfecting an algorithm that can make classical computers resistant to quantum hacking — without requiring enterprises to rip-and-replace their classical encryption infrastructure. For a full drill down of our discussion, give a listen to the accompanying podcast. Below are excerpts edited for clarity and length.

LW: What makes quantum computing so different than what we have today?

Q&A: Why SOAR startup Syncurity is bringing a ‘case-management’ approach to threat detection

By Byron V. Acohido

There’s a frantic scramble going on among those responsible for network security at organizations across all sectors.

Related: Why we’re in the Golden Age of cyber espionage

Enterprises have dumped small fortunes into stocking their SOCs (security operations centers) with the best firewalls, anti-malware  suites, intrusion detection, data loss prevention and sandbox detonators money can buy. But this hasn’t done the trick.

There is a gaping shortage of analysts talented enough to make sense of the rising tide of data logs inundating their SIEM (security information and event management) systems. In many cases the tedious, first-level correlating of SIEM logs to sift out threats has moved beyond human capability. Some 27 percent of IT professionals who partook in a survey conducted by next-gen firewall supplier Imperva at RSA 2018 reported receiving more than 1 million security alerts daily.

Now toss in the fact that digital transformation is redoubling software development and data handling complexities. This has exponentially expanded the attack surface available to motivated, well-funded threat actors. This, in short, is the multi-headed hydra enterprises must tame in order to mitigate rising cyber risks.

Smart money

Enter SOAR, the acronym for “Security Orchestration, Automation & Response.” SOAR, if you haven’t heard, is a hot new technology stack that takes well-understood data mining and business intelligence analytics methodologies – techniques that are deeply utilized in financial services, retailing and other business verticals – and applies them to cybersecurity.

MY TAKE: Why the next web-delivered ad you encounter could invisibly infect your smartphone

By Byron V. Acohido

Google, Facebook and Amazon have gotten filthy rich doing one thing extremely well: fixating on every move each one of us makes when we use our Internet-connected computing devices.

Related: Protecting web gateways

The tech titans have swelled into multi-billion dollar behemoths by myopically focusing on delivering targeted online advertising, in support of online retailing. This has largely shaped the digital lives we’ve come to lead.

Turns out all of this online profiling has a dark side. Cybercriminals have begun escalating their efforts to bend the legitimate online advertising and retailing fulfillment ecosystem to their whims.

This development is unfolding largely off the radar screen of the website publishers who depend on this ecosystem, says Chris Olson, CEO of the Media Trust, a 15-year-old website security vendor, based in McLean, VA that is on the front lines of mitigating this seething threat.

Meanwhile, billions of consumers who participate in this ecosystem each minute of every day remain blissfully ignorant of how they are increasingly being placed in harm’s way, simply doing routine online activities, Olson told Last Watchdog.

Losing control of risk

Like most other pressing cybersecurity challenges today, the problem is rooted in digital transformation. Specifically, to make their digital operations ever more flexible and agile, enterprises have grown ever more reliant on third-party software developers.